AI security is splitting into two jobs that have to run together.

First is governance: guardrails, permissions, oversight, and clear operating rules for agents. That work is necessary and overdue.

Second is the less glamorous part: exploitable plumbing. Recent Spring AI vulnerabilities and wider advisory churn are a reminder that polished governance does not patch weak code.

If you only fund the policy side, you still lose through dependencies. If you only fund appsec, you still lose control over agent behavior.

Treat AI security as four linked layers: governance, identity, application security, and detection. Then enforce production gates across all four.

Well-governed systems still fail when the underlying software is brittle. Run both tracks or expect a very avoidable post-incident briefing.

